Michael S. Tsirkin writes:
QEMU 1.5.0 out-of-bounds buffer write in virtio_net_load()@hw/net/virtio-net.c
This code is in hw/net/virtio-net.c:
    if (n->max_queues > 1) {
        if (n->max_queues != qemu_get_be16(f)) {
            error_report("virtio-net: different max_queues ");
            return -1;
        }
        n->curr_queues = qemu_get_be16(f);
        /* curr_queues comes straight from the stream and is not bounded by max_queues */
        for (i = 1; i < n->curr_queues; i++) {
            n->vqs[i].tx_waiting = qemu_get_be32(f);
        }
    }
The number of vqs is max_queues, so if we get invalid input here,
for example if max_queues = 2, curr_queues = 3, we get a
write beyond the end of the buffer, with data that comes from
the wire.
This might be used to corrupt qemu memory in hard to predict ways.
A user able to alter the savevm data (either on the disk or over the wire
during migration) could use this flaw to corrupt QEMU process memory on
the (destination) host, which could potentially result in arbitrary code
execution on the host with the privileges of the QEMU process.
Upstream fix:
-------------
-> http://git.qemu.org/?p=qemu.git;a=commit;h=eea750a5623ddac7a61982eec8f1c93481857578
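As an added illustration (not the report's or QEMU's own code), the following self-contained C model shows the same load loop with the bound that was missing: curr_queues read from the stream is checked against max_queues before it is used as an index into n->vqs. struct net_state, get_be16/get_be32 and the byte streams are constructed stand-ins for the QEMU device state, the qemu_get_be16/be32 helpers and the savevm stream; the helpers additionally reject truncated input.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define MAX_QUEUES 2  /* stand-in for n->max_queues; n->vqs has this many entries */
struct vq { uint32_t tx_waiting; };
struct net_state { uint16_t max_queues, curr_queues; struct vq vqs[MAX_QUEUES]; };
struct stream { const uint8_t *p; size_t len, off; };
/* Constructed stand-ins for qemu_get_be16/qemu_get_be32 that also refuse truncated input. */
static int get_be16(struct stream *f, uint16_t *v) {
    if (f->len - f->off < 2) return -1;
    *v = (uint16_t)(f->p[f->off] << 8 | f->p[f->off + 1]);
    f->off += 2;
    return 0;
}
static int get_be32(struct stream *f, uint32_t *v) {
    if (f->len - f->off < 4) return -1;
    *v = (uint32_t)f->p[f->off] << 24 | (uint32_t)f->p[f->off + 1] << 16
       | (uint32_t)f->p[f->off + 2] << 8 | f->p[f->off + 3];
    f->off += 4;
    return 0;
}
/* Hardened load loop: curr_queues is bounded by max_queues before it indexes n->vqs.
 * Returns 0 on success, -1 on rejected or truncated input, as virtio_net_load() does. */
int load_queues_checked(struct net_state *n, const uint8_t *buf, size_t len) {
    struct stream f = { buf, len, 0 };
    uint16_t v16; uint32_t v32;
    if (n->max_queues > 1) {
        if (get_be16(&f, &v16) || v16 != n->max_queues) return -1;
        if (get_be16(&f, &n->curr_queues)) return -1;
        if (n->curr_queues > n->max_queues) return -1;  /* the check the original lacks */
        for (int i = 1; i < n->curr_queues; i++) {
            if (get_be32(&f, &v32)) return -1;
            n->vqs[i].tx_waiting = v32;
        }
    }
    return 0;
}
/* Constructed stream fragments: be16 max_queues, be16 curr_queues, be32 tx_waiting per queue. */
struct net_state net = { .max_queues = MAX_QUEUES };
const uint8_t stream_bad[]  = { 0,2, 0,3, 0,0,0,1, 0,0,0,1 };  /* curr_queues 3 > max_queues 2 */
const uint8_t stream_good[] = { 0,2, 0,2, 0,0,0,7 };           /* curr_queues 2, vqs[1] = 7 */

int main(void) {
    printf("bad stream:  %d\n", load_queues_checked(&net, stream_bad, sizeof stream_bad));
    printf("good stream: %d, vqs[1].tx_waiting = %u\n",
           load_queues_checked(&net, stream_good, sizeof stream_good),
           (unsigned)net.vqs[1].tx_waiting);
    return 0;
}
```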

Statement:
This issue does not affect the versions of kvm package as shipped with
Red Hat Enterprise Linux 5.
This issue does not affect the versions of qemu-kvm package as shipped
with Red Hat Enterprise Linux 6.